ISC 1 Flashcards

Question

Communicate

Answer 1

How should the org drive dialogue around privacy risks related to data processing activities

Answer 2

Set of security and privacy controls applicable to all info systems and now the standard for federal info security systems. Designed for protecting, care about effectiveness not cost

Answer 3

OMB - requires the controls for federal information systems FISMA - requires the implementation of minimum controls to protect federal info and info systems

Answer 4

Implement controls at the org level, which are adopted by info systems

Answer 5

Implement controls at the information system level

Answer 6

Implement controls at the org level where appropriate and the rest at the info system level

Answer 7

Detection and escalation: Cost to detect Notification: costs to notify parties Post-breach Response: Cost to rectify effects Loss of Business and Revenue: temp lost do to down time

Answer 8

Health Insurance Portability and Accountability Act required the department of health and human services to adopt national standards promoting health care privacy and security

Answer 9

Specifically governs electronic PHI. Under the security Rule all covered entities must: ensure the confidentiality, integrity, and availability of all electronic PHI; Protect against reasonably anticipated threats; Ensure compliance

Answer 10

Amended HIPPA: Increased penalties for HIPPA violations Required that patients receive the option to obtain records in electronic form Breach rule to notify within 60 days of discovery

Answer 11

European Unions general applicability law regulating the privacy of data

Answer 12

Data must be processed lawfully, fairly, and in a transparent manner

Answer 13

Data must be processed for specified, explicate, and legitimate purposes

Answer 14

Data processing must be adequate, relevant, and limited to what is necessary

Answer 15

Data must be accurate and kept updated

Answer 16

Data must be stored only for as long as necessary. storing it for longer periods is permitted for public interest archiving, scientific or historical research, or statistical purposes.

Answer 17

Data must be processed securely and protected against unauthorized access, accidental loss, destruction, or damage

Answer 18

A framework to apply to promote data security when processing payments

Answer 19

1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor supplied defaults for system passwords

Answer 20

3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open networks

Answer 21

5. Protect all systems against malware and regularly update anti-virus software programs 6. Develop and maintain secure system applications

Answer 22

7. Restrict access to cardholder data through need to know restrictions 8. Identify and authenticate access to system components

Answer 23

10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes

Answer 24

The Center for Internet Security. Controls are a recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen their cybersecurity defenses.

Answer 25

Offense Informs Defense Focus Feasible Align Measurable

Answer 26

Controls should map to other top cybersecurity standards like NIST VS, COBIT, HIPPA

Answer 27

Controls should be simple and measurable, avoiding vague language

Answer 28

Controls are drafted based on data from actual CS attacker behavior and how to defend against it

Answer 29

Controls should help prioritize the most critical problems and avoid resolving every CS issue

Answer 30

All recommendations should be practical

Answer 31

Group is for small or mid sized orgs that have limited CS defense mechanisms in place

Answer 32

Group is for companies that have IT staff who support multiple departments that have various risk profiles and typically handle sensitive client data

Answer 33

Group for companies that have security experts in all domains within CS such as penetration testing, risk management, and application security.

Answer 34

Inventory and Control of Enterprise Assets: Helps orgs actively track and manage all IT assets connected to a company's IT infrastructure physically or virtually with a cloud environment

Answer 35

Inventory and Control of Software Assets: Provides recommendations for orgs to track and actively manage all software applications so that only authorized software can be installed

Answer 36

Data Protection: Helps orgs develop ways to securely manage the entire life cycle of their data

Answer 37

Configuration of Enterprise Assets and Software: this control helps orgs establish and maintain secure baseline configurations for their enterprise assets

Answer 38

Account Management: Outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications

Answer 39

Access Control Management: Control expands on 5 by specifying the type of access that user accounts should have

Answer 40

Continuous Vulnerability Management: Control assists org in continuously identifying and tracking vulnerabilities within its infrastructure so that it can remediate and eliminate weak points or windows

Answer 41

Audit Log Management: Control establishes an enterprise log management process so that organizations can be alerted and recover from an attack in real time

Answer 42

Malware Defense: assists companies in preventing the installation and propagation of malware onto company assets and its network

Answer 43

Email and Web Browser Protections: Provides recommendations on how to detect and protect against cybercrime attempted through email or the internet

Answer 44

Data Recovery: Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets

Answer 45

Network Infrastructure Management: This control establishes procedures and tools for managing and securing a company's network infrastructure

Answer 46

Network Monitoring and Defense: Establishes processes for monitoring and defending a company's network infrastructure against internal and external security threats

Answer 47

Security Awareness and Skill Training: Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk

Answer 48

Service Provider Management: helps organizations develop processes to evaluate third party service providers that have access to sensitive data or that are responsible for managing some or all of a company's IT functions

Answer 49

Application Software Security: establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house to detect, deter and resolve CS weaknesses before they are exploited

Answer 50

Incident Response Management: Provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential CS attacks

Answer 51

Penetration Testing: Control helps organizations test the sophistication of their CS defense system in place by simulating actual attacks in effort to find and exploit weakness.

Answer 52

Control Objectives for Information and Related Technologies provides a road map that organizations can use to implement best practices for IT governance and management.

Answer 53

Governance Distinct from Management (Distinct) End to end governance system (End to end) Tailored to enterprise needs (Tailored) Provide stakeholder Value (Value) Holistic approach (Holistic) Dynamic governance system (Dynamic)

Answer 54

Based on conceptual model Open and flexible Aligned to major standards

Answer 55

gov system should create value for the company's stakeholders by balancing benefits, risks, and resources

Answer 56

gov systems for IT can comprise diverse components, collectively providing a holistic model.

Answer 57

When a change in one gov system occurs, the impact on all others should be considered so that the system continues to meet the demands of the organization. continue to be relevant while adjusting as a new challenge arises

Answer 58

Management activities and governance systems should be clearly distinguished from each other because they have different functions

Answer 59

gov models should be customized to each individual company, using design factors to prioritize and tailor the system

Answer 60

All processes in the org involving info and tech should be factored into an end to end approach

Answer 61

One domain: evaluate, direct, and monitor (EDM): those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met

Answer 62

Four domains Align, plan and organize (APO) Build, acquire, and implement (BAI) Deliver, service, and support (DSS) Monitor, evaluate, and assess (MEA)

Answer 63

Ensuring benefits delivery Governance framework setting Risk optimization Resource optimization Stakeholder engagement

Answer 64

Focuses on aligning information tech overall strategy, planning how to utilize technology in business operation of the organization, and organizing the resources for their most effective and efficient usage. 14 objectives - managed data is most significant

Answer 65

Addresses the building, acquiring, and implementation of information technology solutions in the organizations business processes. 11 objectives, offering guidance on requirements definition, identifying solutions, managing capacity, availability, org change...

Answer 66

Addresses the delivery, service, and support of IT services. 6 objectives - service request is most important

Answer 67

Addresses information tech conformance to the company's performance targets and control objectives along with external requirements. Accomplished through continuous monitoring, evaluation, and assessment of info tech systems. 4 objectives - managed system of internal control is most important

Answer 68

Processes: activities to achieve goals Organizational Structures: decision making entities Principals, Policies and Frameworks: Information: info needed for gov system to work Culture, Ethic, and Behavior: tone at top People, Skills, and Competencies: needed to make sound decisions Services, Infrastructure, and Applications: gov system tools and resources needed for info tech processing

Answer 69

Enterprise Strategy Enterprise Goals Risk Profile Information and Technology Issues Threat Landscape Compliance Requirements Role of IT Sourcing Model for IT IT Implementation Methods Technology Adoption Strategy Size of Company

Answer 70

Designed so that companies could adopt its recommendations in a way that is customized to their own needs

Answer 71

Introduces the core concepts of the framework

Answer 72

Provides a outline of the 40 management and governance objectives, components and references

Answer 73

Covers design topics that influence governance as well as a guideline for designing a customized gov system

Answer 74

Provides a road map for continuous improvements when designing information tech gov systems -used in conjunction with design guide